
CSRF in mod/forum/subscribe_ajax.php


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.8
    • Fix Version/s: 2.8
    • Component/s: Forum
    • Labels:
    • Testing Instructions:
      1. Toggle subscription to discussions with JS
        • Confirm that your changes were respected and no errors thrown
      2. Try to (deliberately) remove the sesskey
        • Confirm that you get an error about missing sesskey checks
    • Affected Branches:
      MOODLE_28_STABLE
    • Fixed Branches:
      MOODLE_28_STABLE

Description

Where is the sesskey check? There is no need for optional_param('sesskey').

Also, \mod_forum\subscriptions::subscribe_user_to_discussion() should check if the user is the guest account.
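The defect class this report describes, as an added illustration that is not Moodle's own code: an AJAX handler that merely reads the session key with optional_param() (which, as the report notes, verifies nothing) beside the form that enforces it and refuses the guest account. The Moodle core functions used exist in 2.8; the argument list of subscribe_user_to_discussion() and the surrounding record lookups are assumptions.

```php
<?php
// Added example (not Moodle's own code): the two defects MDL-48020 reports and
// their fix. Core APIs used: required_param, optional_param, require_login,
// require_sesskey, isguestuser, moodle_exception, $DB->get_record,
// get_coursemodule_from_instance, context_module::instance, require_capability.
// The exact signature of subscribe_user_to_discussion() is assumed.
define('AJAX_SCRIPT', true);
require_once(__DIR__ . '/../../config.php');

$discussionid = required_param('discussionid', PARAM_INT);

// BEFORE (vulnerable): the key is read into a variable but never compared with
// the session token, so a cross-site POST that omits or fakes the field still
// changes the subscription on behalf of the logged-in victim.
//     $sesskey = optional_param('sesskey', '', PARAM_ALPHANUM);
//     ... proceed to subscribe ...

// AFTER (hardened): authenticate, then require proof the request originated
// from a page we served (the sesskey is only known to our own pages).
require_login();
require_sesskey();   // aborts with 'invalidsesskey' unless the submitted key matches the session

// The guest account is shared and anonymous; it must never own a subscription.
if (isguestuser()) {
    throw new moodle_exception('noguest');
}

$discussion = $DB->get_record('forum_discussions', array('id' => $discussionid), '*', MUST_EXIST);
$forum      = $DB->get_record('forum', array('id' => $discussion->forum), '*', MUST_EXIST);
$cm         = get_coursemodule_from_instance('forum', $forum->id, $forum->course, false, MUST_EXIST);
$context    = context_module::instance($cm->id);

// sesskey proves origin, not permission: authorisation is a separate check.
require_capability('mod/forum:viewdiscussion', $context);

// Assumed signature: (userid, discussion record, module context).
\mod_forum\subscriptions::subscribe_user_to_discussion($USER->id, $discussion, $context);

echo json_encode(array('discussionid' => $discussion->id, 'subscribed' => true));
```

The testing instructions above exercise exactly this: with the sesskey field removed, require_sesskey() is what produces the error the second step expects.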

People

• Votes: 0
• Watchers: 3

Dates

• Fix Release Date: 10/Nov/14